
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - PowerPoint PPT Presentation



  1. MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 17

  2. HOW TO CONSTRUCT NIZK IN THE CRS MODEL. Step 1. Review our number theory hammers & polish them. Step 2. Construct NIZK for a special NP language, namely quadratic non-residuosity. Step 3. Bootstrap to NIZK for 3SAT, an NP-complete language.

  3. 3SAT. Boolean variables: $x_i$ can be either true (1) or false (0). A literal is either $x_i$ or $\neg x_i$. A clause is a disjunction of literals, e.g. $x_1 \vee x_2 \vee \neg x_3$. A clause is true if any one of its literals is true.

  4. 3SAT. Boolean variables: $x_i$ can be either true (1) or false (0). A literal is either $x_i$ or $\neg x_i$. A clause is a disjunction of literals, e.g. $x_1 \vee x_2 \vee \neg x_3$ is true as long as $(x_1, x_2, x_3) \neq (0, 0, 1)$.

  5. 3SAT. Boolean variables: $x_i$ can be either true (1) or false (0). A literal is either $x_i$ or $\neg x_i$. A 3-clause is a disjunction of 3 literals. A 3-SAT formula is a conjunction of many 3-clauses, e.g. $\varphi = (x_1 \vee x_2 \vee \neg x_3) \wedge (x_1 \vee x_4 \vee x_5) \wedge (x_2 \vee x_4 \vee x_3)$. A 3-SAT formula $\varphi$ is satisfiable if there is an assignment of values to the variables $x_i$ that makes all of its clauses true.

  6. 3SAT. Cook-Levin Theorem: it is NP-complete to decide whether a 3-SAT formula $\varphi$ is satisfiable. A 3-SAT formula is a conjunction of many 3-clauses, e.g. $\varphi = (x_1 \vee x_2 \vee \neg x_3) \wedge (x_1 \vee x_4 \vee x_5) \wedge (x_2 \vee x_4 \vee x_3)$. A 3-SAT formula $\varphi$ is satisfiable if there is an assignment of values to the variables $x_i$ that makes all of its clauses true.

  7. NIZK for 3SAT: Recall... We saw a way to show that a pair $(N, y)$ is GOOD, that is:
  • $y \in \mathbb{Z}_N^*$, and
  • for every $s \in \mathrm{Jac}^{+1}_N$, either $s$ or $s y$ is a quadratic residue.
  (Recall the picture of $\mathbb{Z}_N^*$: it splits into $\mathrm{Jac}^{+1}_N$ and $\mathrm{Jac}^{-1}_N$, and $\mathrm{Jac}^{+1}_N$ splits further into the residues $QR_N$ and the non-residues $QNR_N$ of Jacobi symbol $+1$. A GOOD $y$ is therefore a non-residue in $\mathrm{Jac}^{+1}_N$, and multiplying by $y$ swaps $QR_N$ and $QNR_N$.)

  8. NIZK for 3SAT. The protocol diagram (repeated on the following slides): the common reference string is $\mathrm{CRS} = (r_1, r_2, \dots, r_{\mathrm{poly}}) \leftarrow (\mathrm{Jac}^{+1}_N)^{\mathrm{poly}}$; prover and verifier both hold the formula $\varphi$; the prover additionally holds a satisfying assignment $(w_1, w_2, \dots, w_n)$ and sends $(N, y, \pi)$. Input: $\varphi = (x_1 \vee x_2 \vee \neg x_3) \wedge (x_1 \vee x_4 \vee x_5) \wedge (x_2 \vee x_4 \vee x_3)$, with $n$ variables and $m$ clauses. Step 1. Prover picks an $(N, y)$ and proves that it is GOOD.

  9. NIZK for 3SAT. Step 2. Prover encodes the satisfying assignment: $y_i \leftarrow QR_N$ if $x_i$ is false, $y_i \leftarrow QNR_N$ if $x_i$ is true (in both cases $y_i \in \mathrm{Jac}^{+1}_N$).

  10. NIZK for 3SAT. Step 2 (continued). The encoding of the variables determines the encoding of the literals: $\mathrm{Enc}(x_i) = y_i$, and then $\mathrm{Enc}(\neg x_i) = y \cdot y_i$. Since $y$ is a non-residue in $\mathrm{Jac}^{+1}_N$, exactly one of $\mathrm{Enc}(x_i)$ or $\mathrm{Enc}(\neg x_i)$ is a non-residue.

  11. NIZK for 3SAT. Same as slide 10; the diagram now also shows the prover's encoded variables $(y_1, \dots, y_n)$, which are sent along with the proof.

  12. NIZK for 3SAT. Step 3. Prove that the (encoded) assignment satisfies each clause. For each clause, say $x_1 \vee x_2 \vee \neg x_3$, let $(a_1, b_1, c_1) = (y_1, y_2, y \cdot y_3)$ denote the encoded literals. So each of them is either $y_i$ (if the literal is a variable) or $y \cdot y_i$ (if the literal is a negated variable).

  13. NIZK for 3SAT. Step 3 (continued). WANT TO SHOW: $x_1$ OR $x_2$ OR $\neg x_3$ is true.

  14. NIZK for 3SAT. Step 3 (continued). WANT TO SHOW: $a_1$ OR $b_1$ OR $c_1$ is a non-residue.

  15. NIZK for 3SAT. Step 3 (continued). Equivalently: the "signature" of $(a_1, b_1, c_1)$, i.e. which of its three entries are residues, is NOT (QR, QR, QR). CLEVER IDEA: generate seven additional triples $(a_i, b_i, c_i)$, $i = 2, \dots, 8$, so that together with the original triple $(a_1, b_1, c_1)$ there are 8 triples. Show that $(a_2, b_2, c_2)$ is (QR, QR, QR) by revealing its square roots, and give a "Proof of Coverage": show that the 8 triples span all possible QR signatures.

  16. NIZK for 3SAT. Proof of Coverage: for each of the poly many triples $(r, s, t)$ taken from the CRS, show that one of the 8 triples has the same signature. That is, exhibit a triple $(a_i, b_i, c_i)$ such that $(r a_i, s b_i, t c_i)$ is (QR, QR, QR), by revealing the three square roots. (Why this works: within $\mathrm{Jac}^{+1}_N$ a product is a residue exactly when both factors have the same residuosity, so $(r a_i, s b_i, t c_i)$ is all-QR only if $(a_i, b_i, c_i)$ has the signature of $(r, s, t)$. Poly many random CRS triples hit all 8 signatures with overwhelming probability, so the 8 triples must have 8 distinct signatures; the second one is (QR, QR, QR), hence the original one is not.)

  17. NIZK for 3SAT. Step 3 (continued). For each clause $j$, construct the proof $\pi_j$ = (7 additional triples, square roots of the second triple, proof of coverage). The prover's message $(N, y, \pi)$ carries the GOOD-ness proof for $(N, y)$, the encoded variables, and $\pi_1, \dots, \pi_m$.

  18. NIZK for 3SAT. Completeness & Soundness: exercise. Zero Knowledge: the simulator picks $(N, y)$ where $y$ is a quadratic residue. Now the encodings of ALL the literals can be set to TRUE!! (With $y$ a residue, $y_i$ and $y \cdot y_i$ have the same residuosity, so both $\mathrm{Enc}(x_i)$ and $\mathrm{Enc}(\neg x_i)$ can be non-residues. In the CRS model the simulator also generates the CRS, so it can choose every CRS element to be a residue; then both the GOOD-ness proof and every proof of coverage can be produced.)
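The clause gadget of slides 8 to 18, as an added worked example that is not part of the lecture's material: a prover who knows the factorization of a toy Blum integer encodes an assignment as residues and non-residues, builds the 8 triples for one clause, reveals the roots of the all-QR second triple and answers every CRS triple with a proof of coverage; the verifier checks only Jacobi symbols and squarings. The primes 10007 and 10039, the seeded RNG, the 60-triple CRS, the literal convention (+i / -i) and all function names are assumptions made for this example. The GOOD-ness proof for (N, y) from slide 7 is not re-implemented; y is simply chosen as a Jacobi-(+1) non-residue. The `cheat` path shows what happens when the encoded assignment does not satisfy the clause: some signature is left uncovered, so a CRS triple of that signature has no valid roots and the verifier rejects.

```python
"""Toy NIZK for one 3-SAT clause via quadratic residuosity (slides 8-18).

The prover knows N = P*Q and the satisfying assignment; the verifier sees only
N, y, the CRS and the proof. Everything here is constructed for illustration:
the modulus is tiny and the RNG is seeded, so nothing about it is secure.
"""
import random
from itertools import product
from math import gcd

P, Q = 10007, 10039            # toy Blum primes (both are 3 mod 4); assumed, not secure
N = P * Q
rng = random.Random(6875)      # fixed seed: the run is reproducible

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0. The verifier can compute this without factoring N."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_qr(a):
    """Prover-side test (needs P, Q): a is a QR mod N iff it is a QR mod P and mod Q."""
    return pow(a, (P - 1) // 2, P) == 1 and pow(a, (Q - 1) // 2, Q) == 1

def sqrt_mod_n(a):
    """Prover-side square root of a QR, via CRT; the exponent trick needs P, Q = 3 mod 4."""
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def sample_jac1(qr=None):
    """Random element of Jac_N^{+1}; with qr=True/False, force it to be a QR / a QNR."""
    while True:
        z = rng.randrange(2, N)
        if gcd(z, N) == 1 and jacobi(z, N) == 1 and (qr is None or is_qr(z) == qr):
            return z

def encode(assignment):
    """Slide 9: y_i is a QR if x_i is false and a QNR (Jacobi +1) if x_i is true."""
    return [sample_jac1(qr=not w) for w in assignment]

def literal_enc(enc, y, lit):
    """Slide 10: Enc(x_i) = y_i, Enc(not x_i) = y*y_i. A literal is +i or -i, 1-based."""
    yi = enc[abs(lit) - 1]
    return yi if lit > 0 else (y * yi) % N

def signature(triple):
    """The (QR?, QR?, QR?) pattern of a triple; only the prover can compute it."""
    return tuple(is_qr(v) for v in triple)

def prove_clause(enc, y, clause, crs, cheat=False):
    """Slides 15-17: 8 triples, square roots of the all-QR second triple, proof of coverage."""
    orig = tuple(literal_enc(enc, y, lit) for lit in clause)
    all_qr, sig0 = (True, True, True), signature(orig)
    sigs = [s for s in product((True, False), repeat=3) if s not in (all_qr, sig0)]
    if sig0 == all_qr:                     # the encoded assignment does NOT satisfy the clause
        if not cheat:
            raise ValueError("clause unsatisfied")
        sigs = sigs[:6]                    # cheater pads to 8 triples; one signature stays uncovered
    triples = [orig] + [tuple(sample_jac1(q) for q in s) for s in [all_qr] + sigs]
    roots_second = tuple(sqrt_mod_n(v) for v in triples[1])
    coverage = []
    for r, s, t in crs:                    # point each CRS triple at the triple of equal signature
        for idx, (a, b, c) in enumerate(triples):
            prods = ((r * a) % N, (s * b) % N, (t * c) % N)
            if all(is_qr(v) for v in prods):
                coverage.append((idx, tuple(sqrt_mod_n(v) for v in prods)))
                break
        else:                              # only a cheater lands here: no roots exist, send junk
            coverage.append((0, (1, 1, 1)))
    return triples, roots_second, coverage

def verify_clause(y, enc, clause, crs, proof):
    """Verifier: uses only Jacobi symbols and squaring, never residuosity."""
    triples, roots_second, coverage = proof
    ok = len(triples) == 8 and len(coverage) == len(crs) and len(roots_second) == 3
    ok = ok and triples[0] == tuple(literal_enc(enc, y, lit) for lit in clause)
    ok = ok and all(len(tr) == 3 and jacobi(v, N) == 1 for tr in triples for v in tr)
    ok = ok and all(pow(w, 2, N) == v for w, v in zip(roots_second, triples[1]))
    for (r, s, t), (idx, roots) in zip(crs, coverage):
        ok = ok and 0 <= idx < 8 and len(roots) == 3 and all(
            pow(w, 2, N) == (e * v) % N for w, e, v in zip(roots, (r, s, t), triples[idx]))
    return ok

def demo(cheat=False):
    """Clause x1 OR x2 OR NOT x3 under (x1,x2,x3) = (T,F,F), or (F,F,T) for the cheating prover."""
    y = sample_jac1(qr=False)              # the QNR of the GOOD pair (N, y), proven GOOD separately
    crs = [tuple(sample_jac1() for _ in range(3)) for _ in range(60)]   # 60 CRS triples in Jac_N^{+1}
    clause = (1, 2, -3)
    enc = encode([False, False, True] if cheat else [True, False, False])
    return verify_clause(y, enc, clause, crs, prove_clause(enc, y, clause, crs, cheat))
```

`demo()` returns True and `demo(cheat=True)` returns False (except with probability $(7/8)^{60}$, when no CRS triple happens to carry the uncovered signature, which is exactly the soundness error the "poly many" CRS triples drive down). Note that the verifier never calls `is_qr`: everything it checks is a Jacobi symbol or an equation $w^2 = v \bmod N$.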

  19. HOW TO CONSTRUCT NIZK IN THE CRS MODEL (recap). Step 1. Review our number theory hammers & polish them. Step 2. Construct NIZK for a special NP language, namely quadratic non-residuosity. Step 3. Bootstrap to NIZK for 3SAT, an NP-complete language.

  20. An Application of NIZK: Non-malleable and Chosen Ciphertext Secure Encryption Schemes

  21. Non-Malleability. (Setting: Bob's $pk$ sits in the public-key directory; a sender computes $c \leftarrow \mathrm{Enc}(pk, m)$ and Bob, holding $sk$, recovers $m \leftarrow \mathrm{Dec}(sk, c)$.)

  22. Active Attacks 1: Malleability. The sender transmits $c \leftarrow \mathrm{Enc}(pk, \$100)$; the adversary, who does not hold $sk$, replaces it with $c' = \mathrm{Enc}(pk, \$101)$. ATTACK: the adversary could modify ("maul") an encryption of $m$ into an encryption of a related message $m'$.

  23. Active Attacks 2: Chosen-Ciphertext Attack. The target ciphertext is $c^* \leftarrow \mathrm{Enc}(pk, m)$. ATTACK: the adversary may have access to a decryption "oracle" and can use it to break the security of the "target" ciphertext $c^*$, or even extract the secret key! In fact, Bleichenbacher showed how to decrypt a target RSA PKCS#1 v1.5 ciphertext given only a "ciphertext verification" oracle that reports whether a submitted ciphertext decrypts to a correctly padded plaintext. (That attack recovers the plaintext of $c^*$, not the secret key.)

  24. IND-CCA Security. Challenger: $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$; sends $pk$ to Eve. Phase 1: Eve sends ciphertexts $c_i$ and receives $\mathrm{Dec}(sk, c_i)$. Challenge: Eve sends $m_0^*, m_1^*$ with $|m_0^*| = |m_1^*|$; the challenger picks $b \leftarrow \{0, 1\}$ and returns $c^* \leftarrow \mathrm{Enc}(pk, m_b^*)$. Phase 2: Eve sends ciphertexts $c_i \neq c^*$ and receives $\mathrm{Dec}(sk, c_i)$. Eve outputs $b'$ and wins if $b' = b$. IND-CCA secure if no PPT Eve can win with probability $> \frac{1}{2} + \mathrm{negl}(n)$.
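The two active attacks of slides 22 and 23, as an added example that is not part of the lecture. The slides do not name the scheme behind the $100 to $101 picture; the block instantiates it with textbook RSA, which is multiplicatively rather than additively malleable, so the mauled ciphertext decrypts to $200 instead of $101. The second function plays Eve in the phase-2 rule of slide 24: the oracle refuses only $c^*$ itself, so she submits a mauled $c' \neq c^*$ and undoes the maul. The primes, the exponent and the function names are assumptions made for this example.

```python
"""Textbook RSA is malleable, and a decryption oracle then breaks any target ciphertext.

Toy parameters constructed for this example; a real modulus is 2048+ bits.
"""
P, Q = 10007, 10039
N, E = P * Q, 65537                          # pk = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))            # sk

def enc(m):
    """Textbook RSA: no padding, so Enc(m1) * Enc(m2) = Enc(m1 * m2) mod N."""
    return pow(m, E, N)

def dec(c):
    return pow(c, D, N)

def maul(c, factor):
    """Adversary with only pk: turn Enc(m) into Enc(factor * m) without learning m."""
    return (c * pow(factor, E, N)) % N

def malleability_demo():
    """Slide 22: an encryption of $100 becomes a valid encryption of $200."""
    return dec(maul(enc(100), 2))

def cca_attack(c_star, dec_oracle):
    """Slides 23/24: the oracle refuses c* only, so ask about c' != c* and undo the maul."""
    c_prime = maul(c_star, 2)
    return (dec_oracle(c_prime) * pow(2, -1, N)) % N

def cca_demo():
    """Eve recovers the plaintext of the challenge ciphertext with one phase-2 query."""
    c_star = enc(100)
    oracle = lambda c: dec(c) if c != c_star else None   # the IND-CCA decryption oracle
    return cca_attack(c_star, oracle)
```

The same homomorphism that makes the maul possible is what makes the oracle query useful: any scheme in which a ciphertext can be transformed into a different ciphertext of a related message fails the game of slide 24, which is why the lecture turns to NIZK-based constructions next.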
